DoJ Cripples VPNFilter Botnet, But Doesn't Slay It

The U.S. Department of Justice announced that it has disrupted the VPNFilter botnet revealed by Cisco's Talos Intelligence Group. After obtaining permission from Pennsylvania courts, the FBI seized a domain used by the botnet's command-and-control infrastructure, effectively crippling its ability to act on infected devices. Yet the Justice Department was careful to note that VPNFilter has been crippled, not slain outright.

Cisco said when it revealed VPNFilter that more than 500,000 devices in 54 countries--with a particular focus on Ukraine--had been compromised by the botnet. The malware targeted small and home office (SOHO) products from Linksys, Netgear, TP-Link, and MikroTik, as well as unidentified NAS devices. These products make particularly good targets because they're rarely protected by antivirus solutions and other security tools.

Targeting SOHO products and NAS devices also gives VPNFilter's operators plenty of options. Cisco said the malware could be used to collect information that passes through the infected devices, to conduct attacks that appeared to be conducted by their victims, and even to render the devices completely inoperable, which could in turn potentially disrupt the internet access of hundreds of thousands of people.

Cisco also said that it had noticed two spikes in VPNFilter activity in May (one on May 8, one on May 17) which is why the company decided to reveal the botnet's existence before finishing its research. It's no wonder, then, why the Justice Department announced that it was taking action to disrupt VPNFilter the same day it was revealed. VPNFilter isn't a potential problem; it's considered a real threat to national security.

Here's what the Justice Department said about its efforts to disrupt VPNFilter:

In order to identify infected devices and facilitate their remediation, the U.S. Attorney’s Office for the Western District of Pennsylvania applied for and obtained court orders, authorizing the FBI to seize a domain that is part of the malware’s command-and-control infrastructure. This will redirect attempts by stage one of the malware to reinfect the device to an FBI-controlled server, which will capture the Internet Protocol (IP) address of infected devices, pursuant to legal process. A non-profit partner organization, The Shadowserver Foundation, will disseminate the IP addresses to those who can assist with remediating the VPNFilter botnet, including foreign CERTs and internet service providers (ISPs).

The Justice Department also advised anyone who owns SOHO or NAS products that may have been infected by VPNFilter to restart their devices. That should temporarily remove the second stage of the malware from the device, and even though the first stage will linger and attempt to reinstall the second stage, the FBI's seizure of the domain used by VPNFilter's command-and-control infrastructure should block those efforts.

VPNFilter Appears To Be The Work Of Russian Hackers

Cisco didn't attribute VPNFilter to any particular organization, but it did talk about what nation-state actors could do with the botnet, prompting fears that it was controlled by a government organization. The Justice Department went a step further and outright attributed VPNFilter to the Sofacy Group, which also goes by APT28, Fancy Bear, Pawn Storm, and other aliases and has been active since at least 2007.

The FBI and Department of Homeland Security said in December 2016 that the Sofacy Group was connected to Russian intelligence services and government officials. Combine that with VPNFilter's apparent focus on Ukraine, where Russia currently holds a military presence, and the connection between this botnet and an organization with at least some loose ties to the Russian government becomes even clearer.

That doesn't mean other countries have nothing to fear from the botnet, however. Cisco said it had already found infected devices in 53 countries outside Ukraine, and the apparent targets (Linksys, Netgear, etc.) ship products around the world. Hence the Justice Department's swift response.